> The issue I'm having is to automatically add an oxauth client configuration, a backend ActiveDirectory, custom login script and custom cacherefresh settings.
For this you could build a custom image or have another container that adds information to the LDAP, which I presume you do already according to "configuring ActiveDirectory (doing that straight into opendj) and configuring the cache-refresh". I think creating a new container job that adds all your necessary clients to a new config as the best option.
> I'm still thinking about a possible approach on how to achieve updating the cacert & nginx key/certificates with our own key/cert without breaking everything but I'm not sure which ones I have to update.
You can modify the data in Consul to change out your ssl certs. They're saved as `ssl_cert` and `ssl_key`, if I'm remembering correctly. Once you've made those modifications, you can then do a `config-init dump` command to save the `config.json` to disk so you can back it up and use to redeploy at a later time with basically the same configuration with `config-init load`.
See [the technical documentation](https://gluu.org/docs/de/technical/#config-init) for further use cases.
Note that some of the configuration is "permanently" added to LDAP and changing the `config.json` or Consul configuration directory won't impact those configuration settings.